OpenStack Keystone Single Sign-On (SSO) Setup

In an earlier blog, we discussed how to set up Federated Identity for OpenStack Keystone so that a Service Provider (SP) Keystone instance can hand off authentication to an external service, called the Identity Provider (IdP). One of the benefits of this is to enable OpenStack Keystone Single Sign-On (SSO), via APIs or the Horizon dashboard, so that a single login can provide access to multiple services. This blog will give an overview of how to set up Keystone Single Sign-On for web access.

How websso login with Keystone works

Credit: http://wikipedia.org

Initial request for a resource, e.g. a Nova API.

This begins a redirect to a specific IdP based on the protocol.

The browser displays the IdP’s login form. When the user enters credentials, the browser POSTs credentials to IdP.

On success, the IdP returns an XHTML form with a SAML token.

The browser then POSTs the SAML assertion to the SAML endpoint in Shibboleth on the Keystone server.

Shibboleth responds with a redirect back to the original auth URL.

Shibboleth redirects back to Keystone, this time with a Shibboleth cookie, and requests the target resource again.

Since the user is now authenticated, Keystone will issue JavaScript code that redirects the web browser to the originating Horizon. An unscoped federated token will be included in the form being sent. The unscoped token can now be scoped and then used to call OpenStack APIs.

The configuration files for both OpenStack Keystone and Horizon need to be updated to enable SSO. The detailed steps are listed below. As a prerequisite, Keystone must be run under Apache by following the steps available here.

Updates to Keystone Configuration

Update trusted_dashboard in the keystone.conf file. This value specifies one or more URLs of trusted OpenStack Horizon servers. It ensures that Keystone sends token data back only to trusted servers, to prevent man-in-the-middle (MITM) attacks: the origin that Horizon passes to the websso endpoint must match one of these URLs exactly, or Keystone refuses the request.
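The origin check described above, written out as an added illustration (this is not Keystone's own code): the origin parameter from the websso request is compared exactly against a constructed list of trusted_dashboard values, and the unscoped token is only ever placed in a form that POSTs back to a validated origin.

```python
from urllib.parse import unquote
from html import escape

# Constructed example of the keystone.conf [federation] trusted_dashboard
# values, as parsed from the multi-valued option (one URL per entry).
TRUSTED_DASHBOARDS = [
    "https://horizon.example.com/auth/websso/",
    "https://horizon2.example.com/auth/websso/",
]


def validate_origin(origin, trusted=TRUSTED_DASHBOARDS):
    """Return the decoded origin if it exactly matches a trusted dashboard.

    The origin arrives URL-encoded in the ?origin= query parameter of the
    websso request. Matching is an exact, case-sensitive comparison after
    decoding: no prefix, substring or wildcard matching, so a look-alike
    host such as https://horizon.example.com.evil.net/ is rejected.
    Raises ValueError when the origin is not trusted.
    """
    if origin is None:
        raise ValueError("origin parameter is required")
    decoded = unquote(origin)
    if decoded not in trusted:
        raise ValueError("origin %r is not a trusted dashboard" % decoded)
    return decoded


def render_sso_callback(origin, token_id, trusted=TRUSTED_DASHBOARDS):
    """Build the self-submitting HTML form that hands the unscoped token back.

    The form POSTs the token only to the validated origin; both values are
    HTML-escaped so a crafted token id or origin cannot inject markup.
    """
    host = validate_origin(origin, trusted)
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="POST" action="%s">'
        '<input type="hidden" name="token" value="%s"/>'
        "</form></body></html>"
    ) % (escape(host, quote=True), escape(token_id, quote=True))
```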

Update the httpd vhost file with websso information. The paths /v3/auth/OS-FEDERATION/websso/ and /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso must be access protected. This ensures that a request originating from Horizon uses the same Identity Provider that is configured in Keystone.

Update remote_id_attribute in keystone.conf. The remote_id_attribute indicates the header that contains information about the IdP. For mod_shib this would be Shib-Identity-Provider:

[saml2]
remote_id_attribute = Shib-Identity-Provider

Set remote_ids for a Keystone identity provider. A Keystone identity provider may have multiple remote_ids specified so that the same identity provider resource may be used for multiple external identity providers. This removes the need to configure N identity providers in Keystone. For example, when Keystone has to be connected to a federation with multiple IdPs that all share the same set of attributes and policies, a single mapping can manage all IdPs in the SP Keystone.

$ openstack identity provider set --remote-id

Updates to OpenStack Horizon Configuration

In the configuration file local_settings.py:

Set the Identity Service version:

OPENSTACK_API_VERSIONS = { "identity": 3 }

Authenticate against Identity Server v3:

OPENSTACK_KEYSTONE_URL = "http://keystone_ip:5000/v3"

Set the WEBSSO_ENABLED option to True to provide users with an updated login screen:

WEBSSO_ENABLED = True

The updates below for the local_settings.py file are optional, depending on specific requirements.

Create a list of authentication methods.

The list includes Keystone federation protocols such as OpenID Connect and SAML, and also keys that map to specific identity provider and federation protocol combinations.